Hello everyone,I have a network that was configured a few years ago with a FortiGate (FG) using a "hardware switch" on ports 1, 2, and 3. The setup is as follows:"internal1" interface:Contains three VLANs:VLAN 1: Used as the core VLAN (I know this is not ideal, but I am not authorized to change it).VLAN 100: Network exclusively for wireless clients.VLAN 1005: Network for phones.Network topology:FG -- Cisco Switch-- FortiSwitch 108 (FSW)The FSW is connected to the FortiGate through "internal1."I configured the FG to recognize and manage the FSW via FortiLink, even though it is not directly connected.FortiLink configuration:I created VLANs 100 and 1005 within FortiLink, assigning them IP addresses and DHCP servers different from those in "internal1."Issue:The VLANs configured on the FSW via FortiLink have no connectivity and do not receive IP addresses via DHCP.I have already configured the ports on the intermediate switches (Cisco and HPE) to allow all VLANs, but the issue persists.Any ideas on what might be missing or how to fix this? I appreciate any guidance.Best regards.

Explorer

Solved

Issue with VLANs in FortiLink and FSW – No DHCP on vlans

Forum|Forum|1 year ago
March 6, 2025
4 replies
2396 views

Hello everyone,

I have a network that was configured a few years ago with a FortiGate (FG) using a "hardware switch" on ports 1, 2, and 3. The setup is as follows:

"internal1" interface:
- Contains three VLANs:
  - VLAN 1: Used as the core VLAN (I know this is not ideal, but I am not authorized to change it).
  - VLAN 100: Network exclusively for wireless clients.
  - VLAN 1005: Network for phones.
Network topology:
- FG -- Cisco Switch-- FortiSwitch 108 (FSW)
- The FSW is connected to the FortiGate through "internal1."
- I configured the FG to recognize and manage the FSW via FortiLink, even though it is not directly connected.
FortiLink configuration:
- I created VLANs 100 and 1005 within FortiLink, assigning them IP addresses and DHCP servers different from those in "internal1."

Issue:
The VLANs configured on the FSW via FortiLink have no connectivity and do not receive IP addresses via DHCP.
I have already configured the ports on the intermediate switches (Cisco and HPE) to allow all VLANs, but the issue persists.

Any ideas on what might be missing or how to fix this? I appreciate any guidance.

Best regards.

Best answer by Igneus

Hi

Thank you for your clarification. I understand that FortiLink and local interfaces are usually treated as independent networks.

However, in my lab I was able to successfully extend VLANs (e.g. VLAN 1001–1009) from a VLAN switch (port1) into the FortiLink network. The FortiSwitch behind a Cisco switch was detected and managed by the FortiGate without issues, and clients on the FortiSwitch were able to obtain IPs from the VLAN defined on the FortiGate.

So in practice, it seems possible to bridge/extend VLANs from a local interface into the FortiLink domain, even though it might not be the recommended or supported approach.

Just wanted to share this observation from my testing
from march to now working without any issue

riteshpv

Staff

Hi,

As I understand you are trying to setup FSW on Fortilink with Cisco switch in between.

This is not a recommended design for Fortilink L2 deployment.

1> Either you setup this FSW directly connected to FGT this is a L2 setup.

2> Or have Cisco connected between FSW with one FSW directly connected to FGT. Information in below link:

https://community.fortinet.com/t5/FortiSwitch/Technical-Tip-FortiLink-P2P-supported-network-topologies/ta-p/224421

Regards,

Ritesh P V

IgneusAuthor

Explorer

In this scenario, I have the option to connect FG directly to FSW. However, I face this issue—I need to 'share' VLANs between the Internal and FortiLink ports, using the same DHCP server and gateway. I don’t want to make my FortiGate configuration more complex than necessary.
is this possible?

riteshpv

Staff

Hi,

I believe their is a FGT internal interface (let say port10) under this you have vlan 50.

You want to share/extend this vlan50 to fortilink network. i.e client on FSW want to get Ip from vlan50.

If the above is true then it is not possible as the internal port10 and fortilink network are independent network/port.

Regards,

Ritesh P V

IgneusAuthorAnswer

Explorer

Hi

Thank you for your clarification. I understand that FortiLink and local interfaces are usually treated as independent networks.

However, in my lab I was able to successfully extend VLANs (e.g. VLAN 1001–1009) from a VLAN switch (port1) into the FortiLink network. The FortiSwitch behind a Cisco switch was detected and managed by the FortiGate without issues, and clients on the FortiSwitch were able to obtain IPs from the VLAN defined on the FortiGate.

So in practice, it seems possible to bridge/extend VLANs from a local interface into the FortiLink domain, even though it might not be the recommended or supported approach.

Just wanted to share this observation from my testing
from march to now working without any issue

taulaba7

New Member

Yes, you can extend the existing port by making sure the fortiswitch port allows the correct vlans. As to vlan 1 -- this is a default used by Fortigates to manage fortiswitches. This is likely why you're having an issue. I personally ran into that one albeit via the fortilink interface. I moved my vlans to a fortilink and would recommend doing the same for ease of setup personally but your mileage may vary.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded